Deciphering PPTP

One of Windows NT 4.0's few all-new features is the Point-to-Point Tunneling
Protocol (PPTP). It has puzzled me a bit since it first appeared in NT 4.0 beta
2, because Microsoft didn't document it. The puzzle's now solved, at least for
me. But many people write me about it, so I'm taking a short detour from my name
resolution series to talk about PPTP and accessing your company's intranet from
the Internet.

Not a Connectivity Tool
The first misconception people have about PPTP is that it's somehow a
connectivity tool. It is not; it's a security tool, plain and simple. An example
will help me explain that statement. Suppose your company has an IP-based
network on the Internet. The company's on the East Coast, you're temporarily in
a hotel or at a client site on the West Coast, and NT Workstation 4.0 is on your
laptop. How can you connect to your firm's intranet from across the country?

I've heard several Microsoft people paint this very picture, ask this very
question, and say, "The answer is PPTP." Because that reply is not
entirely right, I want to focus on some methods that could solve the
problem.

The first of several solutions, the simplest approach, is the one that's
been possible since NT 3.1: Set up a Remote Access Service (RAS) server on the
East Coast, put a modem on it, attach a modem to your laptop, and dial in to the
company. This approach is not bad, but it does mean that you'll have to
deal with all the standard pain and suffering of getting a modem on a laptop in
a hotel room to successfully dial long distance. This trick's not impossible,
but it ain't fun either. Further, you'll have to set up modems and phone lines
on the receiving end. On the plus side, the software setup is easy, and you can
dial in whether you're a DOS, Windows for Workgroups, Windows 95, or NT client.
Using RAS to dial in to your firm is a perfectly good idea, but some companies
don't have any dial-in RAS servers because of concern that you can't
properly secure them.

Another approach is a bit sneakier: Get on the Internet, point your Windows
Internet Name Service (WINS) server setting at the WINS server at the office, and
voila! If your company has no firewall or other filtering device between its LAN
and the Internet (that is, if the NetBIOS name-service and session ports, UDP 137
and TCP 139, are reachable from outside), you'll be able to log on to your NT-based
network right over the Internet.

But if your company is on the Internet, you've got another way into your
network. You're probably a member of some national Internet Service Provider
(ISP) such as America Online (AOL) or CompuServe, and it probably has a local
access number. This access provider lets you dial out to the Internet without a
lot of complex dialing and without breaking the bank--and from the Internet, you
may be able to get to your firm's network.

Set up the Dial-Up Networking entry so that you use the TCP/IP protocol to
dial in to the ISP. In the Dial-Up Networking phone book, click Server and make
sure that TCP/IP is the only protocol checked under network protocols. Next to
TCP/IP is a button, TCP/IP settings.... Click it, and then click Specify name
server settings. I don't much care what you do with the Domain Name System (DNS)
server value, but be sure to fill in the Primary WINS Server entry with the IP
address of your company's main WINS server (it must be an address that is
reachable from the Internet). Then dial up your ISP to get to the Internet.
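What the laptop actually puts on the wire once that entry is in place is a NetBIOS name-service query to UDP port 137 at the office WINS server. The following is an added example, not code from the article, that builds such a query and parses the reply in Python; the reply is constructed inline so nothing is contacted, and the helper names, the server name XYZ, the transaction ID and the address 10.1.2.3 are illustrative.

```python
"""NetBIOS name service (WINS) query over UDP 137, built and parsed by hand.

Added example, not code from the original article.  It shows the packet an NT
client sends when its Primary WINS Server points at the office WINS server: a
plain UDP datagram with no authentication in it.  The reply is constructed
below so the parser can run offline."""
import struct

NBNS_PORT = 137            # UDP port of the NetBIOS name service
QTYPE_NB = 0x0020          # NetBIOS general name service resource record
QCLASS_IN = 0x0001
SUFFIX_FILE_SERVER = 0x20  # 16th byte of a NetBIOS name: the server service
SUFFIX_WORKSTATION = 0x00


def encode_netbios_name(name, suffix=SUFFIX_FILE_SERVER):
    """RFC 1001/1002 first-level encoding: pad to 15 characters, append the
    suffix byte, then spell each nibble as a letter A..P.  Returns the wire
    form: length byte, 32 letters, empty scope terminator."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    letters = bytearray()
    for b in raw:
        letters.append(0x41 + (b >> 4))
        letters.append(0x41 + (b & 0x0F))
    return bytes([32]) + bytes(letters) + b"\x00"


def decode_netbios_name(wire, offset=0):
    """Inverse of encode_netbios_name; returns (name, suffix, next_offset)."""
    if wire[offset] != 32:
        raise ValueError("unsupported NetBIOS name length")
    letters = wire[offset + 1:offset + 33]
    raw = bytes(((letters[i] - 0x41) << 4) | (letters[i + 1] - 0x41)
                for i in range(0, 32, 2))
    end = offset + 33                 # skip the scope ID (DNS-style labels, 0x00-terminated)
    while wire[end] != 0:
        end += wire[end] + 1
    return raw[:15].decode("ascii").rstrip(), raw[15], end + 1


def build_name_query(name, txid, suffix=SUFFIX_FILE_SERVER):
    """Unicast NAME QUERY REQUEST as sent to a WINS server: flags 0x0100 mean
    opcode QUERY, recursion desired, broadcast bit clear; one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_netbios_name(name, suffix) + struct.pack("!HH", QTYPE_NB, QCLASS_IN)


def parse_name_response(datagram, expected_txid):
    """Return the IP addresses carried in a positive NAME QUERY RESPONSE."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", datagram[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    if flags & 0x8000 == 0 or flags & 0x000F != 0:
        raise ValueError("not a positive response (rcode %d)" % (flags & 0xF))
    offset = 12
    for _ in range(qd):               # skip any echoed question
        _, _, offset = decode_netbios_name(datagram, offset)
        offset += 4
    addresses = []
    for _ in range(an):
        _name, _suffix, offset = decode_netbios_name(datagram, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", datagram[offset:offset + 10])
        offset += 10
        rdata = datagram[offset:offset + rdlen]
        offset += rdlen
        if rtype != QTYPE_NB:
            continue
        for i in range(0, rdlen, 6):  # each entry: NB_FLAGS (2 bytes) + NB_ADDRESS (4 bytes)
            addresses.append(".".join(str(b) for b in rdata[i + 2:i + 6]))
    return addresses


def build_positive_response(txid, name, ips, suffix=SUFFIX_FILE_SERVER, ttl=300000):
    """Constructed WINS reply (flags 0x8580: response, authoritative, recursion
    desired and available), used only so the parser can be exercised offline."""
    rdata = b"".join(struct.pack("!H4B", 0x6000, *[int(o) for o in ip.split(".")]) for ip in ips)
    header = struct.pack("!HHHHHH", txid, 0x8580, 0, 1, 0, 0)
    rr = encode_netbios_name(name, suffix) + struct.pack("!HHIH", QTYPE_NB, QCLASS_IN, ttl, len(rdata))
    return header + rr + rdata


def lookup_example():
    """The query the laptop would send for server XYZ, and the parsed reply
    (reply constructed here, not captured from a real WINS server)."""
    txid = 0x1234
    query = build_name_query("XYZ", txid)
    reply = build_positive_response(txid, "XYZ", ["10.1.2.3"])
    return query, parse_name_response(reply, txid)
```

Notice what is not in the datagram: any credentials. Any host that can reach UDP 137 on the WINS server can resolve the LAN's names to addresses, and the file traffic that follows goes to TCP 139 under the same lack of filtering; that is the exposure a firewall between LAN and Internet closes.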

Once you connect to the Internet, try opening the Network Neighborhood
folder. You will probably see the flashlight wave around awhile, and after a few
minutes, you'll probably get the list of servers in your workgroup. Although
you're thousands of miles away from your firm's network, you're using its WINS
server, so your system will act just as if you were hooked up to the company
LAN, except of course, for the speed. But wait--what about NT security?

What About Security?
When you log on to your NT laptop, you must punch in a username and
password. Assume that you enter the same username and password as you do on the
network in the office. Now suppose your workstation asks the NT network back home
some kind of privileged question, such as "What shares are on server XYZ?" The
server will challenge your workstation for credentials. Your workstation answers,
in effect, "Joe is sitting on me, and here is proof that I know his password."
NT doesn't send the password itself across the wire; it sends a response computed
from the password hash and the server's challenge. If your domain account name is
Joe and that response matches what the domain computes for SWORDFISH, you'll be
invisibly logged on to the domain. If not, NT will pop up a box that says
something like, "Incorrect password for user Joe."

In some cases, NT will ask just for a password, and in other cases, it'll
ask for a username and password. Be sure to enter the username in the form <domainname>\<username>
(for example, SALES\Patricia), so that the network knows which domain to search
for your account. After one successful security challenge, the network will
treat you like a local user, except of course, for the speed. Keep in mind,
though, that nothing in this arrangement is encrypted: the challenge and
response, and every file you read or write afterward, cross the Internet in the
clear.

But most firms won't let just anyone connect to the corporate network over
the Internet. Instead, companies put some security device between the Internet
and their intranet. A RAS server running PPTP can be that device.

Wrapping Paper
PPTP is a relatively new Internet protocol (an Internet-Draft when NT 4.0
shipped; it was later published as RFC 2637). The idea is simple: Just as
Point-to-Point Protocol (PPP), the common dial-up Internet protocol, acts as a
kind of wrapping paper for delivering protocol blocks of all kinds (IP, IPX,
NetBEUI), PPTP acts as a kind of wrapping paper for PPP. Concretely, the client
opens a TCP control connection to port 1723 on the server to set up the call,
and then each PPP frame travels inside a Generic Routing Encapsulation (GRE)
packet, IP protocol 47, between the same two addresses.

Put simply, you want your laptop in San Francisco to be able to deliver
some file server-oriented requests ("Please log me on," "Please
print this on the print servers," "Please get me this data from the
file servers") straight to your company's servers. Once you're on the
company network, a security manager has a hard time monitoring and controlling
what you're doing. Worse yet, if you're directly connected and logged on to an
NT network, the security manager has no way to disconnect you, short of finding
your network cable and unplugging it. In contrast, denying dial-in users access
to the network has always been simple--just go to RAS Administrator and
disconnect them. The ability to just as easily disconnect people who attach to
your company network through the Internet is appealing--and PPTP gives it to
you.

With PPTP, your PC sends its PPP packets, wrapped in PPTP, to a RAS server.
The RAS server then unpacks these packets and puts them on the company network,
so you can use the company's servers. Any time an administrator wants to cut you
off from the network, that person only needs to run RAS Administrator and
disconnect you; it's as simple as that. Of course, for maximum protection, a
company has to set up the RAS PPTP server so that it is the gateway to the
Internet: a PC with a WAN link to the Internet and a LAN link to the company
LAN, with nothing but PPTP accepted on the WAN side. NT 4.0 has a checkbox for
exactly that, Enable PPTP Filtering, in the Advanced settings of the
Internet-facing adapter's TCP/IP properties; with it checked, the adapter
ignores everything except PPTP traffic.
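To make the wrapping concrete, here is the PPTP data path in Python: a PPP frame goes into an enhanced GRE packet (RFC 2637: protocol type 0x880B, a call ID, sequence and acknowledgment numbers), and the RAS server unwraps it only if the call ID belongs to a call it has set up. This is an added example, not code from the article or from Microsoft's RAS, and it serves both the wrapping-paper description and the disconnect-from-RAS-Administrator point. The RasPptpServer class, its accept_call/disconnect/receive methods, the call IDs, the user name SALES\Patricia and the frame contents are illustrative, and the control connection on TCP 1723 is modelled as a table on the server rather than implemented.

```python
"""PPTP data path: PPP frames wrapped in enhanced GRE (RFC 2637), and the RAS
server's side of unwrapping them.

Added example, not code from the original article or from Microsoft's RAS.
The call ID is normally handed out on the TCP/1723 control connection, which
is modelled here as a dictionary on the server; all frames are constructed
inline so this runs offline."""
import struct

GRE_IP_PROTOCOL = 47       # GRE rides directly on IP, protocol number 47
PPTP_CONTROL_PORT = 1723   # TCP port of the PPTP control connection (modelled, not used on the wire here)
GRE_PROTO_PPP = 0x880B     # protocol type that marks the GRE payload as PPP
PPP_PROTO_IPV4 = 0x0021

FLAG_K = 0x20    # first flags byte: key field (payload length + call ID) present
FLAG_S = 0x10    # first flags byte: sequence number present
FLAG_A = 0x80    # second flags byte: acknowledgment number present
GRE_VERSION = 1  # low three bits of the second flags byte: enhanced GRE


def ppp_frame(protocol, payload):
    """PPP frame as PPTP carries it: address/control 0xFF 0x03, protocol, data
    (no HDLC flags or FCS; those belong to the modem link, not the tunnel)."""
    return b"\xff\x03" + struct.pack("!H", protocol) + payload


def encapsulate(call_id, seq, frame, ack=None):
    """Wrap one PPP frame in a PPTP GRE packet; the result is the IP payload."""
    b1 = GRE_VERSION | (FLAG_A if ack is not None else 0)
    header = struct.pack("!BBHHHI", FLAG_K | FLAG_S, b1, GRE_PROTO_PPP, len(frame), call_id, seq)
    if ack is not None:
        header += struct.pack("!I", ack)
    return header + frame


def decapsulate(packet):
    """Unwrap a PPTP GRE packet; returns (call_id, seq, ack, frame).
    Raises ValueError on anything that is not well-formed PPTP GRE, which is
    what a server must do before trusting the contents."""
    if len(packet) < 8:
        raise ValueError("truncated GRE header")
    b0, b1, proto, length, call_id = struct.unpack("!BBHHH", packet[:8])
    # C and R bits must be clear, K must be set, version must be 1, payload must be PPP
    if (b0 & 0xC0) or not (b0 & FLAG_K) or (b1 & 0x07) != GRE_VERSION or proto != GRE_PROTO_PPP:
        raise ValueError("not a PPTP GRE packet")
    offset, seq, ack = 8, None, None
    if b0 & FLAG_S:
        seq = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if b1 & FLAG_A:
        ack = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    frame = packet[offset:]
    if len(frame) != length:
        raise ValueError("payload length field does not match the packet")
    return call_id, seq, ack, frame


class RasPptpServer:
    """Hypothetical model of the RAS server's data path: only calls set up on
    the control connection get their frames put on the company LAN, and
    removing a call from the table (what Disconnect in RAS Administrator does)
    cuts that user off at once."""

    def __init__(self):
        self.calls = {}   # call_id -> user name, filled in by the control connection
        self.lan = []     # PPP frames that made it onto the LAN

    def accept_call(self, call_id, user):
        self.calls[call_id] = user

    def disconnect(self, call_id):
        self.calls.pop(call_id, None)

    def receive(self, ip_protocol, payload):
        """Handle one IP packet arriving on the Internet-facing interface."""
        if ip_protocol != GRE_IP_PROTOCOL:
            return "dropped: not GRE"    # anything but PPTP has no business on the WAN side
        try:
            call_id, _seq, _ack, frame = decapsulate(payload)
        except ValueError as exc:
            return "dropped: %s" % exc
        user = self.calls.get(call_id)
        if user is None:
            return "dropped: call %d is not connected" % call_id
        self.lan.append(frame)
        return "delivered for %s" % user


def demo():
    """A user sends a frame, a stranger tries an unknown call ID, the admin
    disconnects the user, and a non-GRE packet arrives. Contents are constructed."""
    server = RasPptpServer()
    server.accept_call(7, "SALES\\Patricia")
    inner = b"SMB request goes here"   # constructed stand-in for an IP datagram
    results = [server.receive(GRE_IP_PROTOCOL, encapsulate(7, 0, ppp_frame(PPP_PROTO_IPV4, inner)))]
    results.append(server.receive(GRE_IP_PROTOCOL, encapsulate(99, 0, ppp_frame(PPP_PROTO_IPV4, inner))))
    server.disconnect(7)
    results.append(server.receive(GRE_IP_PROTOCOL, encapsulate(7, 1, ppp_frame(PPP_PROTO_IPV4, inner), ack=0)))
    results.append(server.receive(6, b"\x00" * 20))
    return results, len(server.lan)
```

What disconnecting a user buys you is visible in demo(): once the call is out of the table, frames carrying that call ID are dropped at the gateway, something you cannot do to a user plugged straight into the LAN. Note also what the wrapper itself does not do: the GRE header carries the call ID in the clear and contains nothing that authenticates the sender; confidentiality, if any, comes from the encryption negotiated on the PPP link inside the tunnel.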

Getting onto a network via PPTP involves three steps. First, back at the
office, you must have an NT machine running the RAS server with PPTP enabled.
That machine will validate PPTP logons. So it can even act as a kind of firewall
if it stands between the Internet and the company's intranet.

Next, on the client side, you first have to install PPTP. You install it in
Control Panel in the Networking applet under Protocols. Then you must get onto
the Internet. You either physically connect to a network on the Internet or use
RAS to dial in to an ISP. If you're dialing in to an ISP, you will, of course,
tell RAS to dial with your modem. Remember that point: In a minute, it'll be
important.

Then, once your IP stack is running, open Dial-Up Networking and create a
second phone book entry. This new entry will not dial out on the modem. Instead,
it dials out on a device called VPNPPTP1, a sort of logical modem that activates
PPTP and establishes a connection with the RAS server running PPTP. The phone
number field in that entry is where you tell your computer how to find that RAS
server: don't enter a phone number there; enter the RAS server's DNS name or IP
address.

That entry was the part that threw me, so let me review what you
have to do to use PPTP to connect to a network from afar. Unless you have a LAN
connection, you'll run Dial-Up Networking twice: first to dial up the ISP, and
second to establish the PPTP connection. For that first dialup, you'll use the
modem device and specify the phone number of the ISP. The second time you run
Dial-Up Networking, you'll specify the VPNPPTP1 device and, instead of a phone
number, the IP address or DNS name of the RAS server you want to connect to. If
that second connection fails even though the ISP link is up, check that the path
between you and the RAS server passes TCP port 1723 and IP protocol 47 (GRE);
PPTP needs both, and a router or filter that drops either one kills the tunnel.

Poor Person's Firewall
At first glance, PPTP looks like an interesting idea, kind of a poor
person's firewall. As an extra advantage, PPTP lets you encrypt the
communication between your laptop and the RAS server, which goes a long way
toward solving the Internet eavesdropping problem. Two caveats: the encryption
is optional, so the RAS server must be configured to require it, or the PPP
frames inside the tunnel travel in the clear; and the session keys are derived
from the user's password hash, so the tunnel is only as strong as the passwords
behind it. Between PPTP and the Microsoft Proxy Server, Microsoft is apparently
thinking seriously about the problems of security and Internetting. Stay tuned,
and I'll tell you more as I find it out!